one_co_il
New Contributor

Link-Monitor on IPsec Tunnel

Hi

I want to set up link-monitor on my VPN tunnel.

I can't understand what to configure for the Gateway IP.

It is a site-to-site tunnel (FG to FG).

Toshi_Esumi
Esteemed Contributor III

Regularly the gateway IP is the tunnel interface IP on the other end, while the destination IP can be anything behind it.

one_co_il

toshiesumi wrote:

Regularly the gateway IP is the tunnel interface IP on the other end, while the destination IP can be anything behind it.

I understand. Actually, when I set up IPsec to AWS it works fine because the interface was set up with an IP.

When I set up the site-to-site VPN, the interface has no IP.

IP is 0.0.0.0

Remote IP to 0.0.0.0

 

 

Toshi_Esumi
Esteemed Contributor III

You should set interface IPs on both ends of the tunnel if both sides are interface mode/route-base IPSec. Otherwise you can't use features like link-monitor since the default route must be routing to the outside of the tunnel.

one_co_il

toshiesumi wrote:

You should set interface IPs on both ends of the tunnel if both sides are interface mode/route-base IPSec. Otherwise you can't use features like link-monitor since the default route must be routing to the outside of the tunnel.

I can set any IP I would like?

For example:

FG A IPsec Interface

IP 169.254.50.150

Remote IP 169.254.40.150

FG B IPsec Interface

IP 169.254.40.150

Remote IP 169.254.50.150

Toshi_Esumi
Esteemed Contributor III

It should work although I never used link-local addresses. Don't forget to put subnet mask 255.255.255.255 on the local IP. From 5.6, remote-ip also requires subnet mask.

one_co_il

toshiesumi wrote:

It should work although I never used link-local addresses. Don't forget to put subnet mask 255.255.255.255 on the local IP. From 5.6, remote-ip also requires subnet mask.

Hi

I set up everything just the way I set up the AWS tunnels,

with the local and remote IPs (AWS also uses subnet 169.254.X.X for the link monitor),

but I can't get any indication of the tunnel status on Link Monitor (I know the tunnels are up and traffic is working correctly).

Here is what I get on Link Monitor (compared to the AWS tunnels):
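
The addressing discussed in the replies above, written out as FortiOS CLI for both units. This is an added example, not configuration posted by anyone in the thread: the interface names `to-siteB` / `to-siteA` and the monitor names are hypothetical, and `set allowaccess ping` is an added assumption so that each tunnel interface answers the other side's ping probes.

```fortios
# Added example, not from the thread. Interface and monitor names are hypothetical.
# Addresses are the ones proposed in the thread.

# ---- FG A ----
config system interface
    edit "to-siteB"
        # Local tunnel IP with a /32 mask, as advised in the replies
        set ip 169.254.50.150 255.255.255.255
        # From 5.6 the remote IP also takes a mask
        set remote-ip 169.254.40.150 255.255.255.255
        # Assumption: allow ping so the peer's link-monitor probe gets a reply
        set allowaccess ping
    next
end
config system link-monitor
    edit "mon-siteB"
        set srcintf "to-siteB"
        # Probe target: here the peer's tunnel interface IP
        set server "169.254.40.150"
        # Gateway IP: the tunnel interface IP on the other end
        set gateway-ip 169.254.40.150
        set protocol ping
    next
end

# ---- FG B (mirror of FG A) ----
config system interface
    edit "to-siteA"
        set ip 169.254.40.150 255.255.255.255
        set remote-ip 169.254.50.150 255.255.255.255
        set allowaccess ping
    next
end
config system link-monitor
    edit "mon-siteA"
        set srcintf "to-siteA"
        set server "169.254.50.150"
        set gateway-ip 169.254.50.150
        set protocol ping
    next
end
```

The monitor state can then be read on each unit with `diagnose sys link-monitor status`.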
